Abstract

We present a locale that abstracts over the necessary ingredients for constructing a 
minimal bad sequence, as required in classical proofs of Higman's lemma and Kruskal's 
tree theorem. 

1 Introduction 

The so called minimal bad sequence argument was first used by Nash-Williams in [8], where he
first proves a variant of Higman's lemma [4] for finite sets, and then, again using a minimal
bad sequence argument, Kruskal's tree theorem. This proof is usually considered to be simple
and elegant. To a certain extent we agree, but then again, formalizing a proof (using a proof
assistant) typically requires us to be more rigorous than on paper. During our Isabelle/HOL
[9] formalization of Higman's lemma and Kruskal's tree theorem [11] we found that Nash-Williams'
reasoning for constructing a minimal bad sequence is far from comprehensive. That
is, assuming that there exists a minimal bad sequence, both proofs can be formalized almost
exactly as presented in [8].^1 But proving the existence of such a minimal bad sequence turns
out to be rather involved. (This step is omitted in every classical paper-proof using the minimal
bad sequence argument that we could catch sight of.)

To this end, we formalized a locale mbs that encapsulates the required ingredients for
constructing a minimal bad sequence starting from an arbitrary bad sequence. Interpreting
this locale for lists (with list-embedding) and finite trees (with homeomorphic embedding on
finite trees) is easy and takes care of the biggest "gaps" in the paper-proofs of Nash-Williams.

The remainder is structured as follows: In Section 2 we give some preliminaries on well-quasi- 
order (wqo) theory and put our minimal bad sequence construction into context. Afterwards, 
in Section 3, we present our locale and sketch our construction of a minimal bad sequence. 
Then, in Section 4, we give two applications. Finally, we conclude in Section 5. 

2 Preliminaries 



In this section we recall well-quasi-orders as well as Higman's lemma and Kruskal's tree theorem. 
This serves to give a context for our minimal bad sequence construction. Moreover, we give 
basic definitions that are used throughout our formalization. 

In the following we use $\preceq$ for an arbitrary (not necessarily reflexive) binary relation on the
elements of an arbitrary set $A$ (when not stated otherwise). In the literature, well-quasi-orders
are typically defined as follows:

Definition 1. A set $A$ is well-quasi-ordered (wqo) by $\preceq$ iff $\preceq$ is reflexive, transitive, and
satisfies: for every infinite sequence $f$ over elements of $A$ there are indices $i < j$, s.t., $f\,i \preceq f\,j$.

* Supported by the Austrian Science Fund (FWF): J3202.

^1 Apart from two claims of the form "the absence of a bad sequence of a certain shape implies the absence of
any bad sequence," whose proofs are omitted.
Using the terminology of [8], an infinite sequence $f$ for which we have indices $i < j$, s.t.,
$f\,i \preceq f\,j$, is called good. A sequence that is not good is called bad. Moreover, a relation $\preceq$
satisfying the last condition of Definition 1 (i.e., all infinite sequences over elements of $A$ are
good) is called almost full.^2

Now consider the above concepts as defined in our Isabelle/HOL formalization, where we
encode binary relations by functions of type 'a ⇒ 'a ⇒ bool (i.e., binary predicates) and infinite
sequences by functions of type nat ⇒ 'a.

An infinite sequence $f$ is good (w.r.t. a binary predicate $\preceq$), written $\mathit{good}_{\preceq}(f)$, iff
$\exists i\, j.\ i < j \land f\,i \preceq f\,j$. It is bad (w.r.t. $\preceq$), written $\mathit{bad}_{\preceq}(f)$, iff it is not good. A binary relation
$\preceq$ is reflexive on a set $A$, written $\mathit{refl}_A(\preceq)$, iff $\forall a \in A.\ a \preceq a$. It is transitive on $A$, written
$\mathit{trans}_A(\preceq)$, iff $\forall a \in A.\ \forall b \in A.\ \forall c \in A.\ a \preceq b \land b \preceq c \longrightarrow a \preceq c$. It is almost full on $A$, written
$\mathit{af}_A(\preceq)$, iff $\forall f.\ (\forall i.\ f\,i \in A) \longrightarrow \mathit{good}_{\preceq}(f)$. The relation $\preceq$ is a wqo on $A$, written $\mathit{wqo}_A(\preceq)$,
iff $\mathit{trans}_A(\preceq) \land \mathit{af}_A(\preceq)$. It is well-founded on $A$, written $\mathit{wf}_A(\preceq)$, iff
$\neg(\exists f.\ \forall i.\ f\,i \in A \land f\,(i+1) \preceq f\,i)$ (i.e., there are no infinite descending sequences over elements of $A$). It is easy to
see that every almost full relation is also reflexive.

Lemma 1. $\mathit{af}_A(\preceq) \Longrightarrow \mathit{refl}_A(\preceq)$

Proof. Take an arbitrary but fixed $x \in A$. We have to show $x \preceq x$. To this end, consider the
infinite sequence $f\,i = x$, which is an infinite sequence over elements of $A$ and thus, since $\preceq$ is
almost full, we obtain indices $i < j$ with $f\,i \preceq f\,j$. Since $f$ equals $x$ at every position, we obtain
the required $x \preceq x$. □

Thus, any almost full relation that is transitive is a wqo and the other way round. Since, in 
our formalization, we strive for minimality, and furthermore transitivity is not required in the 
proofs of Higman's lemma and Kruskal's tree theorem (and typically easily added afterwards), 
we concentrate on almost full relations. 

Before we continue, note that wqos are interesting (at least) due to the following fact: The
strict part $\prec$ of a wqo $\preceq$ is well-founded on $A$, where $x \prec y = (x \preceq y \land y \not\preceq x)$.

Lemma 2. $\mathit{wqo}_A(\preceq) \Longrightarrow \mathit{wf}_A(\prec)$

Proof. Assume to the contrary that $\prec$ is not well-founded on $A$. Then there is an infinite
descending sequence $f$ over elements of $A$. Hence, for all $i < j$ we have $f\,j \prec f\,i$, since $\prec$ is
transitive. Moreover, since $\prec$ is irreflexive, $f\,i \not\preceq f\,j$ for all $i < j$. Thus $f$ is bad, contradicting
the fact that $\preceq$ is almost full. □

Now, consider Higman's lemma and Kruskal's tree theorem as stated in our formalization. 

Lemma 3 (Higman's Lemma). $\mathit{wqo}_A(\preceq) \Longrightarrow \mathit{wqo}_{A^*}(\preceq_{emb})$

Theorem 1 (Kruskal's Tree Theorem). $\mathit{wqo}_A(\preceq) \Longrightarrow \mathit{wqo}_{T(A)}(\preceq_{emb})$

In the above two statements, $A^*$ denotes the set of finite lists built over elements of $A$ and
$T(A)$ denotes the set of finite trees built over elements of $A$. The binary relation $\preceq_{emb}$ denotes
homeomorphic embedding on finite lists and finite trees, respectively (see Section 4 for concrete
definitions). (Note that the interesting parts of the above proofs correspond to $\mathit{af}_A(\preceq) \Longrightarrow
\mathit{af}_{A^*}(\preceq_{emb})$ and $\mathit{af}_A(\preceq) \Longrightarrow \mathit{af}_{T(A)}(\preceq_{emb})$, respectively.)

^2 The notion almost full was first introduced in [13] and very recently revived in [14].

In both proofs (as presented by Nash-Williams) the existence of a minimal bad sequence
is essential. However, the only thing Nash-Williams has to say about the construction of a
minimal bad sequence is roughly (where we use $A^\circ$ to denote the set of "objects" built over
elements of $A$; which might refer to the set of finite subsets, the set of finite lists, the set of
finite trees, ... in a concrete case):

Select an $x_1 \in A^\circ$ such that $x_1$ is the first term of a bad sequence of members of $A^\circ$
and $|x_1|$ is as small as possible. Then select an $x_2$ such that $x_1, x_2$ (in that order)
are the first two terms of a bad sequence of members of $A^\circ$ and $|x_2|$ is as small as
possible [...]. Assuming the Axiom of Choice, this process yields a [minimal] bad
sequence [...]

Interestingly, most non-formalized proofs of Higman's lemma and Kruskal's tree theorem in the 
literature (that the author is aware of) are similarly vague about the actual construction of a 
minimal bad sequence. The point is that a crucial proof is missing in the above recipe, namely 
that it is actually possible to select elements as described. 

In the next section we make the notion minimal bad sequence more concrete (i.e., answer the
question: "Minimal in what sense?") but at the same time abstract over the basic ingredients
("What are the properties that have to be satisfied for a minimal bad sequence to exist?").



3 Constructing Minimal Bad Sequences 

We encapsulate the construction of a minimal bad sequence over elements from a given set 
(which we call objects) inside a locale taking the following arguments: 

• a function $A^\circ$ that returns the set of objects that are built over elements of $A$,

• a relation $\preceq_{A^\circ}$ that is used to check whether an infinite sequence of objects is good (where
$\preceq$ is a relation on elements of $A$),

• and a relation $\lhd$ used for checking minimality (whose reflexive closure is denoted by $\unlhd$).

The required properties are:

• right-compatibility of $\lhd$ with $\preceq_{A^\circ}$: $[x \preceq_{A^\circ} y;\ y \lhd z] \Longrightarrow x \preceq_{A^\circ} z$

• well-foundedness of $\lhd$ on elements of $A^\circ$: $\mathit{wf}_{A^\circ}(\lhd)$

• transitivity of $\lhd$: $[x \lhd y;\ y \lhd z] \Longrightarrow x \lhd z$

• $\lhd$ reflects the property of being in $A^\circ$: $[x \lhd y;\ y \in A^\circ] \Longrightarrow x \in A^\circ$

In the following, we will need a way of piecing together infinite sequences. Given two infinite
sequences $f$ and $g$, we can splice them at position $n$, s.t., in the resulting sequence all elements
at positions smaller than $n$ are taken from $f$ and all others are taken from $g$. This operation is
written $f\langle n\rangle g$ and defined by $f\langle n\rangle g = \lambda j.\ \text{if } n \le j \text{ then } g\,j \text{ else } f\,j$.

Furthermore, we say that an infinite sequence $f$ is minimal at a position $n$, written $\mathit{min}_n(f)$,
if all "subsequences" of $f$ that coincide on the first $n - 1$ elements and have a smaller (w.r.t.
$\lhd$) $n$-th element are good (w.r.t. $\preceq_{A^\circ}$). The sense in which we use "subsequence" here is made
clear by the following definition:

$\mathit{min}_n(f) = \forall g.\ (\forall i < n.\ g\,i = f\,i) \land g\,n \lhd f\,n \land (\forall i > n.\ \exists j \ge n.\ g\,i \unlhd f\,j) \longrightarrow \mathit{good}_{\preceq_{A^\circ}}(g)$

where the last conjunct of the premise makes sure that objects in $g$ only contain elements that were already present in some
object of $f$.

Now the key lemma in the construction of a minimal bad sequence is the following:

Lemma 4.
$[f\,(n+1) \in A^\circ;\ \mathit{min}_n(f);\ \mathit{bad}_{\preceq_{A^\circ}}(f)]$
$\Longrightarrow \exists g.\ (\forall i < n.\ g\,i = f\,i) \land$
$\quad g\,(n+1) \unlhd f\,(n+1) \land$
$\quad (\forall i > n+1.\ \exists j \ge n+1.\ g\,i \unlhd f\,j) \land$
$\quad \mathit{bad}_{\preceq_{A^\circ}}(f\langle n+1\rangle g) \land \mathit{min}_{n+1}(f\langle n+1\rangle g)$

Proof. Let $P(f)$ abbreviate the conclusion of the key lemma. We use the well-founded induction
principle induced by the well-foundedness of $\lhd$ on the term $f\,(n+1)$. As a result, we have to
show $P(g)$ for some arbitrary but fixed sequence $g$. We proceed by a case analysis on whether
$g$ is already minimal at position $n+1$ or not. For details, check [11]. □

By Lemma 4 we obtain a bad sequence that is minimal at $n+1$ from a bad sequence that
is minimal at $n$. This allows us to inductively define a (globally) minimal bad sequence. The
only missing part is that there actually is a bad sequence that is minimal at 0, which is shown
by the following lemma:

Lemma 5. $[\forall i.\ f\,i \in A^\circ;\ \mathit{bad}_{\preceq_{A^\circ}}(f)] \Longrightarrow \exists g.\ (\forall i.\ \exists j.\ g\,i \unlhd f\,j) \land \mathit{min}_0(g) \land \mathit{bad}_{\preceq_{A^\circ}}(g)$

Proof. We use the same techniques as in the proof of Lemma 4, but the second part of the case
analysis is considerably simpler. □

Finally we are in a position to show the existence of a minimal bad sequence over objects
constructed from elements of $A$.

Theorem 2.
$[\forall i.\ f\,i \in A^\circ;\ \mathit{bad}_{\preceq_{A^\circ}}(f)] \Longrightarrow \exists g.\ \mathit{bad}_{\preceq_{A^\circ}}(g) \land (\forall n.\ \mathit{min}_n(g)) \land (\forall i.\ g\,i \in A^\circ)$

Proof. By Lemma 4 (which holds for every $f$ and $n$) and the Axiom of Choice, we obtain a
choice function $\nu$, s.t., $\nu(f, n)$ yields the corresponding witness. Moreover, by Lemma 5 we
obtain a bad sequence $g$ that is minimal at 0. This allows us to define the auxiliary sequence
of sequences $m'$ recursively by:

$m'(0) = \nu(g, 0)$
$m'(n+1) = m'(n)\langle n+1\rangle\, \nu(m'(n), n)$

The actual minimal bad sequence is then $m(i) = m'(i)(i)$. And the proof is (mainly) shown by
induction over $i$ (after considerably strengthening the induction hypothesis). Again, we refer
to [11] for the gory details. □
4 Applications

Our current applications for the mbs locale are Lemma 3 and Theorem 1 (where the former is
used in the proof of the latter). Thus, we have to interpret the locale once in the context of
lists and once in the context of finite trees. For the latter we use the datatype

datatype 'a tree = Node 'a ('a tree list)

representing finite (non-empty) trees (isomorphic to ground terms of first-order term rewriting
as used in [12], where we want to apply our formalization of wqo theory eventually).

The three parameters for the list case are lists :: 'a set ⇒ 'a list set (the set of lists over
elements from a given set), $\preceq_{emb}$ :: 'a list ⇒ 'a list ⇒ bool (homeomorphic embedding on lists)
and $\lhd$ (the suffix relation on lists), where we use the following definitions:

Definition 2. The homeomorphic embedding on lists, w.r.t. an arbitrary relation $\preceq$ on list
elements, is defined inductively by

$[] \preceq_{emb} ys$

$xs \preceq_{emb} ys \Longrightarrow xs \preceq_{emb} y \,\#\, ys$

$[x \preceq y;\ xs \preceq_{emb} ys] \Longrightarrow x \,\#\, xs \preceq_{emb} y \,\#\, ys$

which essentially says that we are allowed to drop elements or replace elements by smaller ones
(w.r.t. $\preceq$) when going from right to left. The suffix relation on lists is given by

$xs \lhd ys = \exists us.\ ys = us \,@\, xs \land us \neq []$

In order to obtain a $\lhd$-minimal $\preceq_{emb}$-bad sequence we have to prove the properties:

$[xs \preceq_{emb} ys;\ ys \lhd zs] \Longrightarrow xs \preceq_{emb} zs$

$\mathit{wf}_{A^*}(\lhd)$

$[xs \lhd ys;\ ys \lhd zs] \Longrightarrow xs \lhd zs$

$[xs \lhd ys;\ ys \in A^*] \Longrightarrow xs \in A^*$

all of which are easy.

For the tree case, the parameters are $T(A)$ :: 'a tree set (the set of trees over elements from a
given set), $\preceq_{emb}$ :: 'a tree ⇒ 'a tree ⇒ bool (homeomorphic embedding on trees) and $\lhd$ (the
subtree relation; similar to the subterm relation on terms), where we use the following definitions:

Definition 3. The set of trees over elements from $A$ is given by

$[x \in A;\ ts \in T_{list}(A)] \Longrightarrow \mathit{Node}\ x\ ts \in T(A)$

$[] \in T_{list}(A)$

$[t \in T(A);\ ts \in T_{list}(A)] \Longrightarrow t \,\#\, ts \in T_{list}(A)$

Homeomorphic embedding on trees, w.r.t. an arbitrary relation $\preceq$ on tree elements, is defined
inductively by

$t \in \mathit{set}\ ts \Longrightarrow t \preceq_{emb} \mathit{Node}\ f\ ts$

$[f \preceq g;\ ss \preceq_{emb} ts] \Longrightarrow \mathit{Node}\ f\ ss \preceq_{emb} \mathit{Node}\ g\ ts$

$[s \preceq_{emb} t;\ t \preceq_{emb} u] \Longrightarrow s \preceq_{emb} u$

$s \preceq_{emb} t \Longrightarrow \mathit{Node}\ f\ (ss \,@\, s \,\#\, ts) \preceq_{emb} \mathit{Node}\ f\ (ss \,@\, t \,\#\, ts)$
The subtree relation is defined inductively by

$t \in \mathit{set}\ ts \Longrightarrow t \lhd \mathit{Node}\ x\ ts$

$[s \lhd t;\ t \in \mathit{set}\ ts] \Longrightarrow s \lhd \mathit{Node}\ x\ ts$

In order to obtain a $\lhd$-minimal $\preceq_{emb}$-bad sequence we have to prove the properties:

$[s \preceq_{emb} t;\ t \lhd u] \Longrightarrow s \preceq_{emb} u$

$\mathit{wf}_{T(A)}(\lhd)$

$[s \lhd t;\ t \lhd u] \Longrightarrow s \lhd u$

$[s \lhd t;\ t \in T(A)] \Longrightarrow s \in T(A)$

all of which are relatively easy.
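The list and tree embeddings of Definitions 2 and 3, together with the suffix and subtree relations, as an added executable example (Python; not code from the formalization [11]). The tree embedding is written in the usual recursive form rather than as the inductive rules with transitivity, the element relation `le` stands in for $\preceq$, and all inputs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Sequence, Tuple


def list_emb(le: Callable, xs: Sequence, ys: Sequence) -> bool:
    """Homeomorphic embedding on lists (Definition 2): xs is obtained from ys
    by dropping elements or replacing them by le-smaller ones."""
    if not xs:
        return True                      # first rule: [] embeds into every list
    if not ys:
        return False                     # a non-empty xs never embeds into []
    if le(xs[0], ys[0]) and list_emb(le, xs[1:], ys[1:]):
        return True                      # third rule: relate the heads, recurse
    return list_emb(le, xs, ys[1:])      # second rule: drop the head of ys


def strict_suffix(xs: Sequence, ys: Sequence) -> bool:
    """The minimality relation of the list case: ys = us @ xs with us non-empty."""
    return len(xs) < len(ys) and list(ys[len(ys) - len(xs):]) == list(xs)


@dataclass(frozen=True)
class Node:
    """Finite non-empty tree, mirroring the 'a tree datatype (assumed encoding)."""
    label: object
    children: Tuple["Node", ...] = ()


def tree_emb(le: Callable, s: Node, t: Node) -> bool:
    """Homeomorphic embedding on trees in recursive form: either s embeds into
    a child of t (first rule plus transitivity), or the roots are related and
    the child lists embed via the list embedding (second rule)."""
    if any(tree_emb(le, s, c) for c in t.children):
        return True
    return le(s.label, t.label) and list_emb(
        lambda a, b: tree_emb(le, a, b), s.children, t.children)


def strict_subtree(s: Node, t: Node) -> bool:
    """The minimality relation of the tree case: s is a proper subtree of t."""
    return any(s == c or strict_subtree(s, c) for c in t.children)


def right_compatible(emb: Callable, below: Callable, s, t, u) -> bool:
    """One instance of the first locale property: s emb t and t below u
    together imply s emb u."""
    return (not (emb(s, t) and below(t, u))) or emb(s, u)
```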

Our bigger concern was (and rightly so) whether our definition of homeomorphic embedding 
on trees really corresponds to what is usually used in the literature. To this end, we used the 
definition of homeomorphic embedding that is used in term rewriting (for first-order terms) as 
our specification. 

Definition 4. Let $\mathcal{E}mb(\preceq)$ be the (infinite) term rewrite system consisting of the following
rules:

$f(ts) \to t$ if $t \in \mathit{set}\ ts$

$f(ts) \to g(ss)$ if $g \preceq f$ and $ss \preceq_{emb} ts$

We were able (after adapting our initial inductive definition several times) to prove^3 that

$s \preceq_{emb} t \longleftrightarrow t \to^*_{\mathcal{E}mb(\preceq)} s$

which reassures us that our definition is correct. (Note that for this proof we had to use the
datatype datatype ('a, 'b) term = Var 'b | Fun 'a (('a, 'b) term list) instead of 'a tree. However,
it is easy to see that those two datatypes are isomorphic when disregarding variables.)

Definition 4 is an adaptation of the (potentially finite) term rewrite system from [6, Definition
3.4], where we reuse the definition of homeomorphic embedding on lists and avoid variables in
order to simplify the above proof.

5 Conclusions and Related Work 

There have been formalizations of Higman's lemma in other proof assistants [7, 2, 3, 10, 5]
and also in Isabelle/HOL [1] (but restricted to a two-letter alphabet of list elements). Those
existing formalizations usually strive for constructive proofs, whereas our approach is purely
classical. However, to the best of our knowledge our work [11] constitutes the first formalization
of Kruskal's tree theorem ever.

Furthermore, [15] could already make use of our formalization of Higman's lemma for
formalizing the following: for an arbitrary language $L$, the set of substrings/superstrings of words
in $L$ is regular.

A final remark: during the whole formalization process, one of the key points was to move
away from proving facts (about binary predicates) on whole types and instead make the carrier
explicit. To this end, predicates like $\mathit{refl}_A(\preceq)$, $\mathit{trans}_A(\preceq)$, $\mathit{wf}_A(\preceq)$, ... have been most helpful,
and we plead to include them in the standard Isabelle/HOL distribution and to introduce their
"implicit" cousins (working on whole types) as abbreviations.

^3 See theory Embedding_Trs in the IsaFoR repository http://cl-informatik.uibk.ac.at/software/ceta.